A classic example of this is employeeEndDate, where the time value returned by the HR DB is often 00:00:00, but could be anything else!

The result of this is that if the user disablement rule says – use date/time of now – compare it to the employeeEndDate; if the end date has passed, then disable the account. Thus if the time value is inconsistent, you will get inconsistent user disablement’s occurring

So, to fix this in code, I did this – on the import from HR:

Santizing EmployeeEndDate

Visual Basic .NET

1

2

3

4

5

6

7

8

9

10

11

12

Case"employeeEndDate-CDRMA-PA-Import"

'CDR attributes required are: EndDate

'Code to define the employeeEndDate in the MV and Portal - needs to be in the correct format!

As part of the FIM implementation within my organisation, I needed to replicate the management of automatic security and distribution groups.

Now this is ugly, not nice/ ideal etc, but to get it done – I need to avoid any changes to the Status Quo – my org does not like change! I can work on making things better later in time.

The current process has an interesting concept of what automatic means.

In that, where normally, an attribute e.g. representing the Finance dept. might be used to identify members of a group; the filter identifying members might use organisational attributes; there might also be users who do not fit within that structure who need to be added. Or there might be people who should be within a group because their organisational attributes match the filter, but for whatever reason, they do not want to be a member of the group.

So essentially, the current filter process might provide organisational attributes to populate the group, but there may also be additional explicit includes and excludes. All automatic groups also remove users who have been disabled.

Note that the organisation structure is not hierarchical

When I initially started looking at how to implement this in FIM, I thought that is was simply not possible. I looked at using http://www.wapshere.com/missmiis/who-needs-group-populator-when-you-have-multivalue-tables, but thought that this was too complicated for what I wanted to achieve – initial population would be troublesome, plus another interface would be required. I considered making the original automatic groups into manual groups then creating new (truly) automatic attribute based groups, and then nesting those within the manual group – but this would involve “change”, so this is now the long term aim, but will not be implemented immediately. Note that this method does not handle the explicit removes well either, they would be to be excluded within the filter.

The main “Automatic” bit: (EmployeeStatus = ‘Enabled’) and (emailAddressPresent= ‘True’) and ((Site = ‘NORTH’) or (Site = ‘SOUTH’)) and (Department = ‘FIN’) = Enabled accounts, who have an email address (this is a distribution list), who are on Site NORTH or SOUTH and whose Department attribute is “FIN” Note that EmployeeStatus, emailAddressPresent and Site are custom attributes within the MV and Portal, that are populated via a classic import rules from HR/AD.

A little note about (emailAddressPresent= ‘True’), this MV attribute is populated on the import from AD. It is defined by the presence of a mail address that matches those that are valid for the organisation and that the persons msExchHomeServerName is present. It is then exported to the Portal with the same name, for use in these filters:

emailAddressPresent

Visual Basic .NET

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

Case"emailAddressPresent-ADMA-Import"

'AD attributes required: mail and msExchHomeServerName

If csentry("mail").IsPresent And csentry("msExchHomeServerName").IsPresent Then

Dimmail AsString=csentry("mail").Value

Dimsuffix()AsString=mail.Split("@")

'Valid/allowed email suffixes are defined in the following array (amend as appropriate):

(10-9-15) I had a few issues with the script referred to – namely the second to last line, which had “$importObject | Import-FIMConfig$undone.Count” , “$undone.Count” needs to (at least) be on a new line – it doesn’t seem to do anything anyway, so may just be removed….

I added a few more references to the filters, group names etc., as I discovered, during debugging, that my initial input file referred to the samAccountName and Filter, rather than the displayName plus Filter. Additionally, some groups had gone plus others renamed since I did the initial filter file – before the school summer holidays…, so the script highlights those.

Error suggested that the filter had not been applied, but it had. Further investigation shows that the order of the filter was incorrect – this and this and (that or that) and this…. should have been this and this and this and that or that.

Odd, did the entry via the portal – added OK..

Missing “]” from the end of the filter

Validating each group membership will take some time…. that’s the job I’ll start tomorrow…..

(11-9-15) OK, so been validating today….didn’t really fancy the idea of doing this group by group, so dug out some old scripts and put together some new ones to make my life easier and consistent….

First – one of my old VBS scripts to get the desired group members from AD:

GetGroupMembers.vbs

Visual Basic

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

ConstADS_SCOPE_SUBTREE=2

ConstForWriting=2

'

strLDAP="OU=GroupOU,DC=contoso,DC=com"

'

SetobjConnection=CreateObject("ADODB.Connection")

SetobjCommand=CreateObject("ADODB.Command")

objConnection.Provider="ADsDSOObject"

objConnection.Open"Active Directory Provider"

SetobjCommand.ActiveConnection=objConnection

objCommand.Properties("Page Size")=1000

objCommand.Properties("Searchscope")=ADS_SCOPE_SUBTREE

objCommand.CommandText=_

"SELECT distinguishedName FROM 'LDAP://"&strLDAP&"' WHERE objectCategory='group'"

Still waiting for the second script to output some of the larger groups…. once complete, I’ll use WinMerge to compare the resulting files. If I constructed all of the XPath filters correctly, they should all match!

2. I have significant disparity between production AD and FIM in terms of users present in each system and the rules defining who should be a member of a group. I have a users deletion workflow in FIM that runs continuously, while in production, a task is run manually at regular intervals to delete users who are in scope of deletion – these are out of step. Additionally, some members of groups in production are disabled, some of these are the same as those that are no longer present in FIM – the workflow has already deleted them. The simple solution is to remove all disabled users from all automatic groups in production – this is something that I have been wanting to do for a while anyway…

3. Some of my filters were incorrect – minor changes.

(16-09-15) – So I have now removed all disabled users from Automatic groups – the WinMerge results are much nicer now – only 46 files are different. Some results are unusual, where a user may be a member in Prod, but not FIM or vice versa – I now need to work through these to see what needs to be sorted.

On a side note….. a colleague at another university remarked that he wished to replicate the filtering method that he already had in place for group management – namely LDAP queries. Now although the FIM portal can’t natively do a direct LDAP query, you can always populate MV and Portal attributes with the data that you wish to query upon. For example within my org the DN of users is not a simple matter, so the DN is calculated by a classic import flow rule from HR. Thus, the DN is already stored in the MV. I could choose to export that data into a new Portal attribute and then make that part of the group filter.

This is one of the things that I really like about FIM – the ability to make it do what you want, with a little creative thinking!